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DETAILED ACTION 
Response to Arguments 

Applicant's arguments and ammendments, see applicant's arguments/remarks page 16 of 20, 
filed 4/27/07, with respect to the rejection(s) of claim(s) 1, 6, 12, 17, 23, 28, 34, 39, 45, 47, and 48 under 
35 USC 102(e) have been fully considered and are persuasive. Therefore, the rejection has been 
withdrawn. However, upon further consideration, a new ground(s) of rejection is made in view of Saez, 
US Patent No. 6,966,002. 

Claim Rejections - 35 USC §112 

The following is a quotation of the first paragraph of 35 U.S.C. 112: 

The specification shall contain a written description of the invention, and of the manner and 
process of making and using it, in such full, clear, concise, and exact terms as to enable any 
person skilled in the art to which it pertains, or with which it is most nearly connected, to make 
and use the same and shall set forth the best mode contemplated by the inventor of carrying out 
his invention. 

1. Claims 2, 5, 11, 13, 16, 22, 24, 27, 33, 35, 38, and 44, are rejected under 35 U.S.C. 112, first 
paragraph, as failing to comply with the enablement requirement. The claim(s) contains subject matter 
which was not described in the specification in such a way as to enable one skilled in the art to which it 
pertains, or with which it is most nearly connected, to make and/or use the invention. Said claims recite 
the limitation, "said user device comprises a smart card including a virtual machine". There does not exist 
in applicant's specification any indication of a smart card including a virtual machine. Rather, the 
specification discloses a user device that includes a virtual machine and a smart card. Appropriate 
correction is required. 

The following is a quotation of the second paragraph of 35 U.S.C. 112: 

The specification shall conclude with one or more claims particularly pointing out and distinctly 
claiming the subject matter which the applicant regards as his invention. 

2. Claim 2, 5, 11, 13, 16, 22, 24, 27, 33, 35, 38, and 44 rejected under 35 U.S.C. 112, second 
paragraph, as being indefinite for failing to particularly point out and distinctly claim the subject matter 
which applicant regards as the invention. Said claims recite the limitation, "said user device comprises a 
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smart card including a virtual machine". It is unclear whether applicant intends the claim to mean that the 
user device comprises both a smart-card and a virtual machine or if the claim means the smart-card has 
the virtual machine inside itself. For purposes of examination, examiner interprets the claim to read that 
the user device comprises a smart-card and the smart card contains a virtual machine inside itself. 
Appropriate correction is required. 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 1, 3-4, 8-9, 12, 14-15, 19-20, 23, 25-26, 30-31, 34, 36-37, 41-42, 47-48, are 
rejected under 35 U.S.C. 103(a) as being unpatentable over Torrubia-Saez, US Patent 
No. 6,966,002, hereinafter Saez. 
As per claim 1,12, 23, 34, 39, 45, 47, Saez teaches: 

A method for enrolling for receipt of one or more obfuscated application programs, the method 
comprising: 

issuing an enrollment request comprising a target ID ["system identification information"], said enrollment 

request for receipt of one or more obfuscated application programs ["software product'] controlled by an 

application program provider ["server"], said target ID specifying a user device ["components of the 

users's computer"] configured to execute said one or more obfuscated application programs; 

[see col. 18, lines 6-9] "the server sends a software product, which is either an executable object 
or a data object, to the user's computer, in response to a request sent to the server from the 
user's computer" 
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[see col. 18] "In response to input from the user, an access control executable portion of the 
software product (if an executable object) or of the driver executable (if the software product is a 
data object) causes the user's computer to transmit a purchase request for partial or full access to 
the software product, and the server receives the purchase request Step 1240 follows, at which 
the server sends to the user's computer a program which generates system identification 
information based on data that is specific to the user's computer. For example, the data used to 
generate the system identification information may include serial numbers of such components of 
the user's computer as the hard disk, the network interface card, the motherboard, and so forth. 
The user's computer then sends to the server the resulting system identification information, as 
well as information, such as a credit card number, which is required to complete the transaction. 
This information is received at the server, as indicated at step 1250. Following step 1250 is step 
1260, at which the server validates the credit card information and generates a decryption key 
and/or a decryption executable program on the basis of the system identification information 
received from, and specific to, the user's computer." 

obtaining a secret in response to said issuing; and 

[see col. 1 8, lines 49-51 ] " The decryption key and/or decryption executable program are then 
transmitted to the user's computer from the server, as indicated at step 1270. 9 

associating said secret with said application program provider, said secret for use in executing said one 

or more obfuscated application programs received from said application program provider. 

[see col. 18, lines 52-55] u The decryption key and/or decryption executable program are then 
used in the user's computer to decrypt the software object to which the user has just purchased 
usage rights" 

Saez does not explicitly teach: 

The reception of said one or more obfuscated executable application programs occurs after obtaining a 
secret, which occurs in response to an enrollment request. In contrast, Saez teaches that the obfuscated 
executable application programs are received after the enrollment request is issued but before a secret is 
obtained. After further consideration, examiner determines that it would have been obvious at the time of 
the invention to one of ordinary skill in the art to which the subject matter pertains to modify the Saez 
invention in order to allow the system taught by Saez to receive the program after the secret is obtained. 
Sending the program after the secret is obtained would allow the server to encrypt the program based on 
the requestor's secret. The requestor can then receive the encrypted program and decrypt it accordingly 
using its secret. Examiner deems these processes of encryption/decryption are well known in the art. 



As per claim 3, 14, 25, 36, Saez teaches: 
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A method for enrolling for receipt of one or more obfuscated application programs, the method 
comprising: 

receiving an enrollment request comprising a target ID, said enrollment request for access by a user 

device to one or more obfuscated application programs, said target ID specifying said user device, said 

user device configured to execute said one or more obfuscated application programs; 

[see rejection of claim 1] 

determining a secret in response to said request; associating said secret with said target ID; and 

[see rejection of claim 1, "the server validates the credit card information and generates a 
decryption key and/or a decryption executable program on the basis of the system identification 
information received from, and specific to, the user's computer."] 

transferring said secret to said user device. 

[see col. 18, lines 49-51] "The decryption key and/or decryption executable program are then 
transmitted to the user's computer from the server, as indicated at step 1270. " 

As per claim 4, 15, 26, 37, Saez teaches: 

The method of claim 3 wherein said determining and said transferring form part of a key exchange 
protocol. 

[see rejection of claim 3, wherein the generating and transmitting of the decryption key are 
considered as forming part of a key exchange protocol.] 

As per claim 8, 19, 30, 41, Saez teaches: 

A method for application program obfuscation, the method comprising: 

determining a current obfuscation method based at least in part on a target ID, said target ID specifying a 

user device configured to execute said obfuscated application program; 

[see rejection of claim 1] "the server validates the credit card information and generates a decryption 
key and/or a decryption executable program on the basis of the system identification information 
received from, and specific to, the user's computer." 

The decryption key that will be generated is based in part on the payment authorized by user's credit card as 
well as system identification information. Depending on the amount of payment, user will be 
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authorized to use certain portions/versions of the software product. The appropriate decryption 

key will be generated allowing user access to said portions. 
creating an obfuscated application program based at least in part on said current obfuscation method; 
and 

[see col. 3] "a software package is provided, comprising: a software object having a first set of 
features and a second set of features, the first set of features being encrypted and the second set 
of features being unencrypted; and a signature readable by a predetermined executable serving 
to control access to the encrypted first set of features. " 

sending said obfuscated application program to said user device. 

[see rejection of claim 1] 

As per claim 9, 20, 31, 42, Saez teaches: 

The method of claim 8, further comprising receiving an application program request from said user 
device, said determining occurring in response to said receiving. 

[see rejection of claim 1, wherein the decryption key is generated after the user requests the 

software product] 

Claims 10, 11, 21 , 22, 32, 33, 43, 44, are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Saez as applied to claims 8-9 above, and further in view of Rusnak et 
al., US Patent No. 6,098,056. 

As per claim 10, 21, 32, 43: 

The method of claim 8 wherein said method further comprises, after said creating, applying a 
cryptographic process to said obfuscated application program together with a cryptographic key to create 
an encrypted obfuscated application program; and said sending comprises sending said encrypted 
obfuscated application program. 
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The Saez reference has been discussed above. Saez does not teach applying a cryptographic 

process to the obfuscated application program to create an encrypted obfuscated application program. 

Rusnak teaches doubly encrypting a document encryption key (DEK) as seen below: 

[see col. 3] "After authentication, the server decrypts the DEK with its private key; encrypts the 
newly encrypted DEK with TIH's public key; encrypts the decrypted key with the client's public 
key; and returns the doubly encrypted DEK to the client. " 

It would have been obvious at the time of the invention to one of ordinary skill in the art to modify 
the Saez invention to doubly encrypt the content being transmitted in order to authorize and authenticate 
both user and server, thus improving the overall security of the system. 

As per claim 11, 22, 33, 44: 

[see rejection of claim 2] 



Allowable Subject Matter 

Claims 2, 5, 11, 13, 16, 22, 24, 27, 33, 35, 38, and 44, would be allowable if rewritten to overcome the 
rejection(s) under 35 U.S.C. 112, 2nd paragraph, set forth in this Office action and to include all of the 
limitations of the base claim and any intervening claims. 

Conclusion 

Applicant's amendment necessitated the new ground(s) of rejection presented in this Office 
action. Accordingly, THIS ACTION IS MADE FINAL See MPEP § 706.07(a). Applicant is reminded of 
the extension of time policy as set forth in 37 CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE MONTHS from 
the mailing date of this action. In the event a first reply is filed within TWO MONTHS of the mailing date 
of this final action and the advisory action is not mailed until after the end of the THREE-MONTH 
shortened statutory period, then the shortened statutory period will expire on the date the advisory action 



• 
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is mailed, and any extension fee pursuant to 37 CFR 1 .1 36(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later than SIX 
MONTHS from the date of this final action. 



Any response to this Office Action should be faxed to (571) 273-8300 or mailed to: 

Commissioner for Patents 
P.O. Box 1450 
Alexandria, VA 22313-1450 

Hand-delivered responses should be brought to 

Customer Service Window 
Randolph Building 
401 Dulaney Street 
Alexandria, VA 22314 

*. Any inquiry concerning this communication or earlier communications from the examiner should 

be directed to Daniel L. Hoang whose telephone number is 571-270-1019. The examiner can normally 

be reached on Monday - Thursday, 8:00 a.m. - 5:00 p.m., EST. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's supervisor, 

Nasser Moazzami can be reached on 571-272-4195. The fax phone number for the organization where 

this application or proceeding is assigned is 571-273-8300. 

Information regarding the status of an application may be obtained from the Patent Application 
Information Retrieval (PAIR) system. Status information for published applications may be 
obtained from either Private PAIR or Public PAIR. Status information for unpublished 
applications is available through Private PAIR only For more information about the PAIR system, 
see http://pair-directuspto.gov. Should you have questions on access to the Private PAIR 
system, contact the Electronic Business Center (EBC) at 866-217-9197 (toll-free). 




Daniel L. Hoang 
8/02/07 




